formbook | 23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e | Triage

Sharing

General

Target

23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e.exe
Size

726KB
Sample

241106-cpa68stdmp
MD5

88153ac6837f5034a7ab44259c90f4dd
SHA1

90085bacffa3b6a75252f9e06af2d7ac54886e75
SHA256

23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e
SHA512

fc5fa3bc1ad16fa3e1e8988253da0479b9235c7d051d82cde50e3da6ca95acff6d20483b4dc52778015f2344cc1edca68e9b184f8f507479b3ada5bf594be8cc
SSDEEP

12288:MOX2iRzjEZ3eBNdQ6LN5LD8MYoSrwb+dpXeboencW3:MOmYzwIBDRjLHY7rhXeDncW3

Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

- Target
  
  23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e.exe
- Size
  
  726KB
- MD5
  
  88153ac6837f5034a7ab44259c90f4dd
- SHA1
  
  90085bacffa3b6a75252f9e06af2d7ac54886e75
- SHA256
  
  23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e
- SHA512
  
  fc5fa3bc1ad16fa3e1e8988253da0479b9235c7d051d82cde50e3da6ca95acff6d20483b4dc52778015f2344cc1edca68e9b184f8f507479b3ada5bf594be8cc
- SSDEEP
  
  12288:MOX2iRzjEZ3eBNdQ6LN5LD8MYoSrwb+dpXeboencW3:MOmYzwIBDRjLHY7rhXeDncW3
Score

10^/10

formbook bc01 discovery execution rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookbc01discoveryexecutionratspywarestealertrojan

behavioral2

formbookbc01discoveryexecutionratspywarestealertrojan